hpr2934 :: Server Basics 106: Namespaces and containers
Klaatu talks about the unshare and lxc commands
Hosted by Klaatu on 2019-10-31 is flagged as Clean and is released under a CC-BY-SA license.
Listen in ogg, spx, or mp3 format. | Comments (0).
Namespaces provide context and constraints for processes on a Linux system. They are utilised by the infrastructure of "the cloud" to create distinct "containers", in which processes may run without awareness of the system they are actually running upon.
// prove you are not running some process $ pidof tcsh // nothing $ sudo pidof tcsh // nothing // launch tcsh in a new namespace with unshare: $ sudo unshare --fork --pid --mount-proc tcsh // from within that session: # pidof tcsh 1 // wait what?? // yes tcsh is the first pid of its own namespace // from another term $ ps 1 init $ pidof tcsh 26814 // from inside the namespace, pid is seen as 1 // from outside, pid is normal $ ps tree | less // search for tcsh // See evidence of namespaces: $ ls /proc/*/ns $ ls /proc/26814/ns ipc net pid user uts [...]
To see this in action for a slightly more pragmatic purpose, you can use the
The LXC system uses namespaces and cgroups to create functional containers that act, more or less, like a Virtual Machine, except that they are built in containers so that they do not have to emulate hardware.
If your system doesn't have LXC installed, first install it:
$ sudo dnf install lxc lxc-templates lxc-doc // on Ubuntu or Debian: $ apt install lxc
You also need to create a network bridge so that your container and your host system (that's the computer you're sitting in front of right now) can communicate.
$ sudo ip link add br0 type bridge $ sudo ip addr show br0 7: br0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether 26:fa:21:5f:cf:99 brd ff:ff:ff:ff:ff:ff
Now give your bridge device an IP address that doesn't conflict with any existing IP address on your network:
$ sudo ip addr add 192.168.168.168 dev br0 $ sudo ip link set br0 up
Create a configuration for your container. You can base this on the samples provided by lxc (located in /usr/share/docs/lxc or similar). Everything but veth, br0, and up is arbitrary. You can make up all the values.
lxc.utsname = hackerpublicradio lxc.network.type = veth lxc.network.flags = up lxc.network.link = br0 lxc.network.hwaddr = 4a:49:43:49:79:bd lxc.network.ipv4 = 192.168.168.1/24 lxc.network.ipv6 = 2003:db8:1:0:214:c0ff:ee0b:3596
Now install an OS into your container. OS templates are provided by LXC in /usr/share/doc/lxc/templates or a similar location.
$ ls -m /usr/share/lxc/templates/ lxc-alpine, lxc-altlinux, lxc-archlinux, lxc-busybox, lxc-centos [...]
Choose a template and install. I use Alpine in the recorded show, because it's supposed to be really small. I don't necessarily recommend Alpine. I recommend Slackware, of course.
$ sudo lxc-create --name slackware --template slackware
Once the install is done, start your container:
$ sudo lxc-start --name slackware --rcfile ~/mycontainer.conf
Now attach to the container:
$ sudo lxc-attach --name slackware #
Run a command.
# uname -av Linux hackerpublicradio 5.3.0.x86_64 #1 SMP Wed Oct 10 18:34:01 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
This is the technology that Docker and OCI projects use to create containers. And when a bunch of containers start swarming around on a bunch of hosts, you eventually end up with a cloud. How do you manage all of these things? That will be the topic for the next entry in this series, I'll bet.